Skip to main content

Fediverse Embeds CVE-2026-46698

| EUVDEUVD-2026-36270 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-06-11 GitHub_M
5.3
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
5.3 MEDIUM

Network-reachable unauthenticated endpoint; nonce trivially extracted from public pages; confidentiality limited to SSRF-readable responses; no integrity or availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jun 11, 2026 - 19:01 EUVD
Source Code Evidence Fetched
Jun 11, 2026 - 18:19 vuln.today
Analysis Generated
Jun 11, 2026 - 18:19 vuln.today
CVE Published
Jun 11, 2026 - 17:15 cve.org
MEDIUM 5.3

DescriptionCVE.org

Fediverse Embeds embeds fediverse posts on WordPress sites. Prior to version 1.5.9, Fediverse Embeds registered the unauthenticated AJAX action wp_ajax_nopriv_ftf_get_site_info (includes/Site_Info.php) that verified a nonce ftf-fediverse-embeds-nonce and then called file_get_html($site_url) on the attacker-supplied URL. The same nonce was enqueued onto every public page containing a fediverse embed (via includes/Enqueue_Assets.php lines 41-46 + includes/Helpers.php lines 64-83), so the nonce gate was not an authentication boundary; any visitor of a public post with an embed could grab it and reuse it. This issue has been patched in version 1.5.9.

AnalysisAI

Server-Side Request Forgery in the Fediverse Embeds WordPress plugin (versions prior to 1.5.9) allows any unauthenticated visitor to cause the WordPress server to fetch an arbitrary URL by abusing a publicly exposed AJAX endpoint. The nonce mechanism guarding the endpoint (ftf-fediverse-embeds-nonce) is not an authentication boundary - the same nonce is embedded into every public page containing a fediverse embed, making it trivially obtainable by any site visitor. Once obtained, the nonce can be replayed to invoke file_get_html($site_url) with an attacker-controlled URL, potentially exposing internal services such as cloud provider metadata endpoints. No active exploitation has been confirmed (CVE is not in CISA KEV) and no public proof-of-concept has been identified at time of analysis.

Technical ContextAI

The vulnerability is rooted in CWE-918 (Server-Side Request Forgery) within the PHP-based Fediverse Embeds WordPress plugin (CPE: cpe:2.3:a:stefanbohacek:fediverse-embeds-wordpress-plugin). WordPress's wp_ajax_nopriv_ hook prefix registers AJAX actions that execute for unauthenticated (logged-out) users, and the plugin registered wp_ajax_nopriv_ftf_get_site_info in includes/Site_Info.php. This action accepted a caller-supplied site_url parameter and passed it directly to file_get_html() from the PHP Simple HTML DOM Parser library - a function that performs a full HTTP fetch of the supplied URL. The nonce check (ftf-fediverse-embeds-nonce) was bypassed in practice because includes/Enqueue_Assets.php (lines 41-46) and includes/Helpers.php (lines 64-83) enqueued this same nonce value into every public page rendering a fediverse embed. The fix in version 1.5.9 (commit 93821405790ccc7a80528e91b34b624606b54969) introduces Helpers::is_safe_url() and Helpers::is_safe_host() methods that enforce http/https scheme restrictions, resolve hostnames via DNS (A and AAAA records), and reject any destination resolving to private or reserved IP ranges using PHP's FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE flags, preventing SSRF to internal network resources.

RemediationAI

Upgrade to Fediverse Embeds version 1.5.9 or later, which patches the vulnerability by adding Helpers::is_safe_url() and Helpers::is_safe_host() validation before any outbound fetch is performed - blocking private ranges, reserved IPs, and non-http(s) schemes. The fix is confirmed at commit 93821405790ccc7a80528e91b34b624606b54969 and the advisory is at https://github.com/stefanbohacek/fediverse-embeds-wordpress-plugin/security/advisories/GHSA-cr42-rgq6-whjh. If immediate patching is not feasible, two compensating controls are available with trade-offs: (1) Disable the Fediverse Embeds plugin entirely - eliminates the attack surface completely but removes all embed functionality; (2) Implement egress firewall rules on the WordPress server blocking outbound HTTP/HTTPS to RFC 1918 ranges (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16), loopback (127.0.0.0/8), and link-local (169.254.0.0/16) - this blocks the highest-impact SSRF targets (cloud metadata, internal APIs) but does not prevent SSRF to external hosts, and may require adjustment if the server legitimately needs those routes.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-46698 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy